https://github.com/adrianvillamayor/vaultsieve
A Python terminal assistant for auditing exported password vaults for duplicates, weak passwords, reuse, and optional breach exposure.
audit breach-check hibp password password-manager privacy python security security-tools tui vault
Last synced: about 1 month ago
- Host: GitHub
- URL: https://github.com/adrianvillamayor/vaultsieve
- Owner: AdrianVillamayor
- License: apache-2.0
- Created: 2026-05-13T10:18:42.000Z (about 2 months ago)
- Default Branch: main
- Last Pushed: 2026-05-13T16:15:18.000Z (about 2 months ago)
- Last Synced: 2026-05-13T16:36:05.370Z (about 2 months ago)
- Topics: audit, breach-check, hibp, password, password-manager, privacy, python, security, security-tools, tui, vault
- Language: Python
- Homepage:
- Size: 500 KB
- Stars: 0
- Watchers: 0
- Forks: 0
- Open Issues: 0
Metadata Files:
- Readme: README.md
- Changelog: CHANGELOG.md
- License: LICENSE
- Agents: AGENTS.md
README
Audit your exported password vaults. Find duplicates, weak passwords, breached services, missing 2FA, and dead domains — then clean up.
## Features
- **Interactive TUI** — arrow-key guided assistant by default, or direct CLI for automation
- **10 analyzers** — duplicates, reused passwords, weak/empty passwords, insecure HTTP, domain concentration, plus optional HIBP password checks, known breached services, 2FA availability, and domain existence
- **4 report formats** — terminal summary, TXT, JSON, and self-contained HTML with health score, severity chart, action board, and filterable findings table
- **Dark and light themes** — HTML report follows system preference, toggleable, persisted
- **Clean output** — generate a deduplicated/cleaned vault export without touching the original
- **Passkey and SSH-key aware** — skips password-specific checks where they don't apply
- **Privacy first** — all checks run locally; optional HIBP uses k-anonymity (only 5-char SHA-1 prefixes sent); no emails or usernames ever leave your machine
- **Persistent config** — set defaults once via TUI or `vaultsieve config`, override per-run with CLI flags
## Supported Formats
| Manager | Formats | Notes |
|---------|---------|-------|
| **Bitwarden** | JSON | Login items (type 1), passkeys, TOTP |
| **LastPass** | CSV | TOTP detection |
| **Dashlane** | CSV, ZIP, JSON | ZIP extracts `credentials.csv`; `.dash` rejected with clear error |
| **1Password** | CSV, 1PUX | Auto-detected by extension |
| **KeePass / KeePassXC** | CSV, XML | Recycle Bin filtered; TOTP from custom fields |
| **Keeper** | CSV, JSON | CSV auto-detects headers vs positional |
| **RoboForm** | CSV | BOM-safe (`utf-8-sig`) |
| **Generic CSV** | CSV | Needs `name`, `url`, `username`, `password` columns — works with Chrome, NordPass, Google Password Manager, Firefox, and others |
Adding new importers is ~20 lines; see [`docs/adding-importers.md`](docs/adding-importers.md).
## Quick Start
**Install with pipx:**
```bash
$ pipx install git+https://github.com/AdrianVillamayor/VaultSieve.git
$ vaultsieve
```
**Or via install script:**
```bash
$ curl -fsSL https://raw.githubusercontent.com/AdrianVillamayor/VaultSieve/main/install.sh | bash
```
**Development install:**
```bash
$ python3 -m venv .venv && .venv/bin/python -m pip install -e '.[dev]'
$ ./vaultsieve
```
See [`docs/install.md`](docs/install.md) for all install methods including Homebrew.
## CLI
Run without arguments to launch the interactive TUI:
```bash
$ vaultsieve
```
Or run audits directly:
```bash
$ vaultsieve audit vault.json --format bitwarden
$ vaultsieve audit passwords.csv --format csv
$ vaultsieve audit export.zip --format dashlane
```
For Dashlane, 1Password, KeePass, and Keeper the file extension (`.csv`, `.json`, `.xml`, `.zip`, `.1pux`) picks the right parser automatically.
### Optional Checks
All optional checks are off by default. Enable them per-run or set defaults with `vaultsieve config`:
```bash
$ vaultsieve audit vault.json --format bitwarden --check-breaches # HIBP password check
$ vaultsieve audit vault.json --format bitwarden --check-known-breaches # breached services
$ vaultsieve audit vault.json --format bitwarden --check-2fa # missing TOTP
$ vaultsieve audit vault.json --format bitwarden --check-domains # dead domains
```
### Reports and Clean Output
```bash
$ vaultsieve audit vault.json --format bitwarden --report-dir reports
$ vaultsieve audit vault.json --format bitwarden --clean-output clean.json --clean-mode all
```
Clean modes: `duplicates` (default), `obsolete`, `all`.
### Config
```bash
$ vaultsieve config list # show all settings
$ vaultsieve config set check_2fa true # enable by default
$ vaultsieve config set output_formats html,json # choose report formats
$ vaultsieve config unset report_dir # reset to default
```
## Safety & Privacy
- Never modifies the original vault file
- Reports never include plaintext passwords
- HIBP password checks use k-anonymity — only 5-char SHA-1 prefixes sent, with padding
- Known breach and 2FA checks download public catalogues and match locally
- Domain checks use DNS only — no credentials sent
- All optional network checks are disabled by default
Full details in [`docs/privacy.md`](docs/privacy.md).
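The k-anonymity range lookup described in the list above, as an added example that is not VaultSieve's own code. The endpoint and `Add-Padding` header are those of the public HIBP Pwned Passwords API; `check_passwords`, `fake_fetch` and the response rows (counts included) are constructed for illustration so the block runs offline.

```python
import hashlib

RANGE_URL = "https://api.pwnedpasswords.com/range/"  # HIBP Pwned Passwords range API
HEADERS = {"Add-Padding": "true"}  # response is padded with decoy rows of count 0


def split_sha1(password):
    """Uppercase SHA-1 hex digest split into the 5-char prefix and 35-char suffix."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range(body):
    """Parse 'SUFFIX:COUNT' lines; padding rows (count 0) are dropped."""
    hits = {}
    for line in body.splitlines():
        suffix, sep, count = line.strip().partition(":")
        if sep and len(suffix) == 35 and count.isdigit() and int(count) > 0:
            hits[suffix.upper()] = int(count)
    return hits


def check_passwords(passwords, fetch):
    """Return (breach count per input position, list of URLs requested).

    `fetch(url, headers)` is a hypothetical transport callable. Only the
    5-char prefix is ever placed in a URL, and each prefix is requested once.
    """
    by_prefix, requested, counts = {}, [], [0] * len(passwords)
    for i, pw in enumerate(passwords):
        prefix, suffix = split_sha1(pw)
        by_prefix.setdefault(prefix, []).append((i, suffix))
    for prefix, entries in by_prefix.items():
        requested.append(RANGE_URL + prefix)
        hits = parse_range(fetch(requested[-1], HEADERS))
        for i, suffix in entries:
            counts[i] = hits.get(suffix, 0)  # suffix is compared locally only
    return counts, requested


def fake_fetch(url, headers):
    """Offline stand-in for the API: constructed body, counts are made up."""
    prefix = url.rsplit("/", 1)[1]
    rows = ["0" * 35 + ":0", "F" * 35 + ":7"]  # one padding row, one unrelated hit
    for pw, count in (("password", 42), ("correct horse battery staple", 0)):
        if prefix == split_sha1(pw)[0]:
            rows.append(f"{split_sha1(pw)[1]}:{count}")  # count 0 acts as a decoy row
    return "\r\n".join(rows)
```

A suffix that appears only in a count-0 padding row is reported as not breached, which is why `parse_range` filters those rows before the local comparison.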
## Tests
```bash
$ python3 -m pytest
```
## Contributing
Pull requests are welcome. For major changes, please open an issue first to discuss what you would like to change.
Please make sure to update tests as appropriate.
## License
[MIT](LICENSE) — Adrián Villamayor